Abstract

Traditional approaches to information sharing use a highly conservative approach to deduce the metadata for an output object $x$ derived from input objects $y_1, y_2, \ldots, y_n$ (e.g., the maximum over the security labels of all input objects). Such approaches do not account for functions that explicitly downgrade the value of an object. Consequently, the security labels in traditional approaches tend to monotonically increase as newer objects are derived from existing ones. In this paper we present a novel metadata calculus for securing information flows. The metadata calculus defines a metadata vector space that supports a time varying value function, computed as a function of the object's metadata, and operators $+$ and $\cdot$ to compute the metadata of an output object that is derived by downgrading, transforming or fusing other objects. We also describe a concrete realization of our metadata calculus wherein the tightness of our value estimates competes in an optimization problem. We present several tradeoffs between space and accuracy and explore a spectrum of solutions ranging from conservative to risk-based value estimates.

1 Introduction

Large corporations are slowly being transformed from monolithic, vertically integrated entities into globally disaggregated value networks, where each member focuses on its core competencies and relies on partners and suppliers to develop and deliver goods and services. The ability of multiple partners to come together, share sensitive business information and coordinate activities to rapidly respond to business opportunities is becoming a key driver for success.

The defense sector, too, has similar, dynamic information sharing needs. Traditional wars between armies of nation-states are being replaced by highly dynamic missions where teams of soldiers, strategists, logisticians, and support staff, drawn from a coalition of military organizations as well as local (military and civilian) authorities, fight against elusive enemies that easily blend into the civilian population [6]. Securely disseminating mission critical tactical intelligence to the pertinent people in a timely manner will be a critical factor in a mission's success.

While it is clear that information sharing across organizational boundaries is becoming a necessity, it is important for the recipient to ensure that it receives high quality information from the sender. However, for a sender to share high quality information, the sender needs assurance from the recipient that the shared information will not be misused (e.g., unregulated or unintended information disclosure). Poor quality of information and unauthorized information disclosure can create the risk of legal liability, financial loss, tarnished reputation, or in some environments, a loss of life. Evidently, there is a risk-related tradeoff between the quality of information and information misuse. Understanding this tradeoff minimally requires us to quantify the value of the information being shared.

Unfortunately, traditional approaches to information sharing suffer from two major drawbacks. First, they use fairly static security labels to tag information, and thus do not attempt to capture dynamic attributes of tactical information such as time sensitivity, accuracy, etc. The value of a piece of information (henceforth called an object) is computed as a function of its security labels (henceforth called metadata). For example, Multi-Level Security (MLS) labels such as unclassified, classified, secret and top secret are used to enforce mandatory access control in a military setting; Decentralized Label Management (DLM) labels each object with allow and deny lists and regulates information flows based on these labels.

Report Documentation Page (Standard Form 298, Rev. 8-98)
Report date: DEC 2008. Report type: N/A.
Title and subtitle: A Metadata Calculus for Securing Information Flows.
Performing organization: IBM T.J. Watson Research Center.
Distribution/availability statement: Approved for public release, distribution unlimited.
Supplementary notes: See also ADM002187. Proceedings of the Army Science Conference (26th) Held in Orlando, Florida on 1-4 December 2008.
Security classification of report, abstract and this page: unclassified. Limitation of abstract: UU. Number of pages: 7.

Figure 1: Metadata Calculus (traditional approaches)

                                MLS                              DLM
Metadata of $x$                 $l_x$                            $(A_x, D_x)$
Metadata of $g(x_1, \ldots, x_n)$   $\max(l_{x_1}, \ldots, l_{x_n})$   $(\bigcap_i A_{x_i}, \bigcup_i D_{x_i})$ [cell garbled in the source; read as intersection of allow lists and union of deny lists]

Second, traditional approaches to information sharing use a highly conservative approach to deduce the metadata for an output object $x$ derived from input objects $x_1, x_2, \ldots, x_n$ (see Figure 1). Such approaches do not account for functions that explicitly downgrade the value of an object. For example, a set of numeric objects may be statistically downgraded using their mean; an image may [...]

In this paper we present a novel metadata calculus for securing information flows. We capture an object's metadata using a vector space $\mathcal{M}$ and define a metadata calculus that supports the following primitives: (i) a time varying value function $\Gamma$ based on an object's metadata, and (ii) operators $+$ and $\cdot$ on the vector space $\mathcal{M}$ that can be used to compute the metadata for an output object that is derived by downgrading, transforming or fusing other objects. We also describe a concrete realization of our metadata calculus wherein the tightness of our value estimates competes in an optimization problem. We present several tradeoffs between space and accuracy and explore a spectrum of solutions ranging from conservative to risk-based value estimates.

The rest of this paper is organized as follows. Section 2 describes related work on risk based secure information flows. Section 3 describes metadata types and presents an information theoretic approach to estimating the value of an object. Section 4 describes a calculus for succinctly computing the metadata for an output object that is derived from one or more input objects. Finally we conclude the paper in Section 5.

2 Related Work

There has been significant research on decentralized [...] aries. [...] usage of, a secure runtime environment of another partner.

Recently, new approaches based on risk estimation and economic mechanisms have been proposed for enabling the sharing of information in dynamic environments [1, 5]. These approaches are based on the idea that the sender dynamically computes an estimate of the risk of information disclosure in providing information to a receiver, based on the secrecy of the information to be divulged and the sender's estimate of the trustworthiness of the recipient. The sender then "charges" the receiver for this estimated risk. The recipient, in turn, can decide which type of information is most useful to him and pay only to access that. Entities would either be given a line of risk credit, or adopt a market-based mechanism to "purchase risk" using a pseudo-currency. Under the assumption that the line of risk credit or the risk available for purchase in the market is limited, an entity will be encouraged to be frugal with its amassed risk credits and, consequently, reluctant to spend them unnecessarily. Since all information flows are "charged" against expected losses due to unauthorized disclosure and the amount of risk available is limited, an argument is made that the total information disclosure risk incurred by an organization is controlled.

While, as a concept, using risk estimation, charging for the risk of information flows, and limited risk credits are promising ideas for enabling information sharing in dynamic environments, the existing work in this area [1, 5] has gaps in how this concept can be realized to enable cross-organizational secure information flows in dynamic environments such as between organizations or partners in a coalition. In [1, 5, 8, 7], while risk is estimated based on the object metadata [9], the actual formulas or examples use static credentials (e.g., the security clearance or category set) of the recipient, rather than a dynamic value of the object. Indeed, the value of most tactical information tends to decrease with time and evolve as the object is downgraded, transformed or fused with other objects. In this paper we present a novel metadata calculus that can be used to succinctly estimate the time varying value of tactical information in a dynamic coalition setting.


3 Metadata Model

In this section we describe our metadata model. For the sake of simplicity we include one dynamic attribute, namely time, in our metadata model. We represent the metadata for an object $x$ as a vector $\mathbf{x}$ in a vector space $\mathcal{M}$. $\mathcal{M}$ also supports a unary operator $\Gamma$ that maps $\mathbf{x} \in \mathcal{M}$ to a value function $\Gamma_x : \mathcal{F} \to \mathcal{F}$, where $\mathcal{F}$ denotes an integer or real number field. For example, $\mathbf{x} = (10, 2)$ and $\Gamma_x(t) = \max(10 - 2t, 0)$ or $\Gamma_x(t) = 10e^{-2t}$. The value operator $\Gamma$ satisfies the following properties:

$$0 \le \Gamma_x(t) < \infty, \quad \forall t$$

$$\frac{d\Gamma_x(t)}{dt} \le 0, \quad \forall t$$

$$x \subseteq y \;\Rightarrow\; \Gamma_x(t) \le \Gamma_y(t), \quad \forall t$$

Constraining the value of an object to non-negative integers (or real numbers) may be questionable. One can think of sources of disinformation (misguiding information) as having a negative value. In this paper we do not consider pieces of information that are intended to misguide the recipient. In the absence of disinformation, the value of information is monotonic, that is, if an object $x$ is completely contained in object $y$, then $\Gamma_x(t) \le \Gamma_y(t)$.

The value of an output object $x$ computed as $g(y_1, y_2, \ldots, y_n)$ is given by the empirical formula in Equation 1, where $\bar{Y}_i = \{Y_1, \ldots, Y_{i-1}, Y_{i+1}, \ldots, Y_n\}$ and $\bar{y}_i = \{y_1, \ldots, y_{i-1}, y_{i+1}, \ldots, y_n\}$.

$$\Gamma_x(t) = \sum_{i=1}^{n} \Gamma_{y_i}(t) * \frac{f_{Y_i|X}(y_i \mid x, B)}{f_{X|Y_i}(x \mid y_i)} \qquad (1)$$


We use $f_X$ to denote the probability distribution function for a random variable $X$. Value computation uses the notion of self-information, expressed as $I(y_i \mid x) = D(\delta_{y_i} \,\|\, f_{Y_i|X}(y_i \mid x)) = -\log(f_{Y_i|X}(y_i \mid x))$, where $D(X \,\|\, Y)$ denotes the KL-divergence between probability distributions $X$ and $Y$, and $\delta_{y_i}$ denotes the Dirac delta function whose value is one when $Y_i = y_i$ and zero otherwise. Intuitively, the self-information $I(y_i \mid x)$ denotes the number of additional bits that need to be learnt in order to reconstruct $y_i$, given that the entity knows the probability distribution $f_{Y_i|X}$. Hence, $2^{-I(y_i \mid x)} = f_{Y_i|X}(y_i \mid x)$ denotes the fraction of information about $y_i$ that may be inferred from $x$. We remark that exact reconstruction of $y_i$ may not be required for certain objects (e.g., geographical location). In such cases, one can replace $\delta_{y_i}$ by some probability distribution that is centered around $y_i$.

We argue that Equation 1 satisfies the intuitive notion of object downgrade, transformation and fusion. In the rest of this section, we demonstrate the applicability of Equation 1 to a wide range of functions $g(\cdot)$, ranging from arithmetic functions and database operations to cryptographic functions. Figures 2, 3 and 4 show value computations for some sample functions $g$. We use $B$ to denote background information known to the consumer of object $x$, such as cryptographic secrets.

In the case of bijective arithmetic functions (such as $x = g(y_1) = y_1 + 1$), we note that given $x$ and the function $g$, one can completely recover all information about $y_1$. Hence, the value of $x$ equals the value of $y_1$ for all time instances $t$. On the other hand, arithmetic functions such as $x = y_1^2$ lose information on $y_1$; in particular, given $x$ one can identify two possible values for $y_1$ (namely, $\pm\sqrt{x}$). In the absence of any background information on $y_1$, this results in an entropy loss of one bit; equivalently, the value of $x$ is half the value of $y_1$. However, if the recipient were to know that $y_1 > 0$, then there is no loss of information. Functions such as sum and average may exhibit different information loss characteristics. For example, let us suppose $x = y_1 + y_2$. If the recipient knows that $0 \le y_1, y_2 \le 5$, then given $x = 0$ (or $10$), it can obtain all information about $y_1$ and $y_2$ respectively.

[Figure fragment interleaved in the source: "Assume we have two database fields $Y_1$ and $Y_2$ chosen using a uniform distribution between (0, ..."]

For database operations, we recognize the need to differentiate between union and join operations. Union operates on two sets of the same type; for example, let us consider sets of type color $y_1 = \{\text{red}\}$ and $y_2 = \{\text{blue}\}$. Consequently, the union of two sets does not result in any more information than the input sets. On the other hand, join operates on two sets of different types; for example, let us consider a set of type (x-coord, id) $y_1 = \{(10, id_1)\}$ and a set of type (y-coord, id) $y_2 = \{(5, id_1)\}$. A join on $y_1$ and $y_2$ reveals the $(x, y)$ coordinates of the entity $id_1$ and thus has significantly more information than the input sets. To cite another example, let us consider a 128-bit cryptographic key $K = L \,\|\, R$ of value $V$, where $L$ and $R$ denote the left and right 64 bits of the 128-bit key $K$. One might argue that the value of $L$ and of $R$ is $2^{-64} * V$, assuming the key $K$ is randomly chosen over a 128-bit field. Now, let us consider a join of sets of type (L, kid) and (R, kid), where kid denotes a key identifier: $y_1 = \{(L_1, kid_1)\}$ and $y_2 = \{(R_1, kid_1)\}$. It is easy to see that the value of $x$ must be significantly higher than the sum of the values of $y_1$ and $y_2$. Indeed, Equation 1 amplifies the values of $y_1$ and $y_2$ by a factor of $2^{64}$ when deriving the value of $x$.

For cryptographic operations, we model ideal behavior using a 0/1 value relationship with the input object. For example, using an ideal encryption function $x = E_K(y_1)$, the value of $x$ is zero if the recipient does not know $K$; otherwise, the value of $x$ is equal to the value of $y_1$, since the recipient can recover all information about $y_1$ using the corresponding decryption function $D$ and the key $K$.

4 Metadata Calculus

Figure 5: Conservative vs. Risky '+' Operator. [Plot residue; recoverable data:] Exact sum $= 30 - 12t$ for $t \le 2$, and $10 - 2t$ for $2 < t \le 5$. Conservative estimate: $30 - 6t$. Risky estimate: $24 - 6t$.

In this section, we describe a metadata calculus using two binary operators on the metadata vector space $\mathcal{M}$: vector addition $+ : \mathcal{M} \times \mathcal{M} \to \mathcal{M}$ and scalar multiplication $\cdot : \mathcal{F} \times \mathcal{M} \to \mathcal{M}$, where $\mathcal{F}$ denotes a field such as the integers or real numbers. These binary operators satisfy the following homomorphic properties:

• $\mathbf{x} = \mathbf{y}_1 + \mathbf{y}_2 \iff \Gamma_x(t) = \Gamma_{y_1}(t) + \Gamma_{y_2}(t)$ for all $t$.

• $\mathbf{x} = a \cdot \mathbf{y}_1 \iff \Gamma_x(t) = a * \Gamma_{y_1}(t)$ for all $t$.

In addition, they also satisfy the following intuitive properties:

• Commutative: For any $\mathbf{y}_1, \mathbf{y}_2 \in \mathcal{M}$, $\mathbf{y}_1 + \mathbf{y}_2 = \mathbf{y}_2 + \mathbf{y}_1$.

• Associative: For any $\mathbf{y}_1, \mathbf{y}_2, \mathbf{y}_3 \in \mathcal{M}$, $\mathbf{y}_1 + (\mathbf{y}_2 + \mathbf{y}_3) = (\mathbf{y}_1 + \mathbf{y}_2) + \mathbf{y}_3$.

• Zero vector $\mathbf{0}$: For any $\mathbf{y}_1 \in \mathcal{M}$, $\mathbf{y}_1 + \mathbf{0} = \mathbf{y}_1$.

• Distributive over $+$ in $\mathcal{M}$: For any $a \in \mathcal{F}$ and $\mathbf{y}_1, \mathbf{y}_2 \in \mathcal{M}$, $a \cdot (\mathbf{y}_1 + \mathbf{y}_2) = a \cdot \mathbf{y}_1 + a \cdot \mathbf{y}_2$.

• Distributive over $+$ in $\mathcal{F}$: For any $a, b \in \mathcal{F}$ and $\mathbf{y}_1 \in \mathcal{M}$, $(a + b) \cdot \mathbf{y}_1 = a \cdot \mathbf{y}_1 + b \cdot \mathbf{y}_1$.

• Distributive over $\cdot$ in $\mathcal{M}$: For any $a, b \in \mathcal{F}$ and $\mathbf{y}_1 \in \mathcal{M}$, $a \cdot (b \cdot \mathbf{y}_1) = (ab) \cdot \mathbf{y}_1$.

• Scalar $1$ in $\mathcal{F}$: For any $\mathbf{y}_1 \in \mathcal{M}$, $1 \cdot \mathbf{y}_1 = \mathbf{y}_1$.

Based on the properties described above, it is easy to see that when $x$ is computed as $g(y_1, y_2, \ldots, y_n)$, then the metadata $\mathbf{x}$ can be computed as shown in Equation 2. Indeed, given the homomorphic properties on $\mathcal{M}$, we can show that Equation 2 implies Equation 1 for all time $t$.


$$\mathbf{x} = \sum_{i=1}^{n} \frac{f_{Y_i|X}(y_i \mid x, B)}{f_{X|Y_i}(x \mid y_i)} \cdot \mathbf{y}_i \qquad (2)$$
4.1 Realizing the Metadata Calculus

In this section, we describe a concrete instantiation of the metadata calculus. Unfortunately, there exists no vector space that satisfies all the required homomorphic properties. In this section, we describe a metadata vector space and value functions that satisfy a weaker notion of homomorphism, as shown in Equation 3. It follows from Equation 3 that our metadata calculus makes conservative estimates of object values.

$$\mathbf{x} = a \cdot \mathbf{y}_1 \;\Rightarrow\; \Gamma_x(t) = a * \Gamma_{y_1}(t), \quad \forall t$$

$$\mathbf{x} = \mathbf{y}_1 + \mathbf{y}_2 \;\Rightarrow\; \Gamma_x(t) \ge \Gamma_{y_1}(t) + \Gamma_{y_2}(t), \quad \forall t \qquad (3)$$

We use a metadata space $\mathcal{M} = \mathbb{Z} \times \mathbb{Z}$, where $\mathbb{Z}$ denotes the integer field. Given $\mathbf{x} = (c_0, c_1)$, $\Gamma_x(t) = \max(c_0 - c_1 * t, 0)$. Given $\mathbf{x}_1 = (c_0^1, c_1^1)$ and $\mathbf{x}_2 = (c_0^2, c_1^2)$, the $+$ and $\cdot$ operators are defined as follows:

$$a \cdot \mathbf{x}_1 = (a * c_0^1,\; a * c_1^1)$$

$$\mathbf{x}_1 + \mathbf{x}_2 = \left( c_0^1 + c_0^2,\; \frac{c_0^1 + c_0^2}{\max\left(\frac{c_0^1}{c_1^1}, \frac{c_0^2}{c_1^2}\right)} \right)$$

Figure 5 illustrates the $+$ operator on $\mathbf{y}_1 = (10, 2)$ and $\mathbf{y}_2 = (20, 10)$. It is easy to see that $\Gamma_{y_1}(t) + \Gamma_{y_2}(t)$ is:

$$\Gamma_{y_1}(t) + \Gamma_{y_2}(t) = \begin{cases} 30 - 12t & \text{if } t \le 2 \\ 10 - 2t & \text{if } 2 < t \le 5 \\ 0 & \text{if } t > 5 \end{cases}$$

It is easy to see that the above equation cannot be represented by a straight line and thus cannot be mapped into a metadata vector in $\mathcal{M}$. Hence, we choose the least conservative straight line ($30 - 6t$) such that $\Gamma_{y_1}(t) + \Gamma_{y_2}(t) \le 30 - 6t$ for all $t$. Indeed, there are several options to ensure that our value estimates are tighter, all of which can be modeled as optimization problems.

• First, we can increase the dimensionality of the metadata vector space and use a higher order polynomial for $\Gamma_x(t)$. It is easy to see that the proposed metadata calculus can be extended to all value functions that are polynomial in time $t$. We note that increasing the dimensionality of the metadata vector allows us to compute tighter value estimates at the cost of higher storage.

• Second, we can represent $\mathbf{x}$ as $k$ tuples where each tuple describes a straight line within some time interval. We note that when $x$ is computed as a function of $y_1, \ldots, y_n$, then the value of $x$ may be represented by at most $n$ linear constraints. For any given constant $k < n$, we can compute a set of $k$ linear constraints that tightly bounds the set of $n$ linear constraints. We note that increasing $k$ allows us to compute tighter value estimates at the cost of higher storage.

• Third, we could permit bounded violations of the constraint $\Gamma_{y_1 + y_2}(t) \ge \Gamma_{y_1}(t) + \Gamma_{y_2}(t)$ for some instants $t$. One can quantify the risk ($r_+$) in a value estimate using the area enclosed by the region wherein our value estimate is lower than the true value of the object; similarly, one can quantify overestimation ($r_-$) using the area enclosed by the region wherein our value estimate is higher than the true value of the object. We formulate two optimization problems that allow us to trade off the conservativeness and tightness of our estimates. First, we can restrict the risk in our value estimate to at most $X\%$ of the value of the object (averaged over its lifetime). Second, we can attempt to minimize a function of risk and overestimation, say $a * r_+ - r_-$, for some $a > 0$.
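As an added example (not code from the paper), the following Python implements the $\mathcal{M} = \mathbb{Z} \times \mathbb{Z}$ calculus of this section, that is the value function $\Gamma_x(t) = \max(c_0 - c_1 t, 0)$, the exactly homomorphic scalar product and the conservative $+$ operator, and then goes one step further by measuring, on the Figure 5 inputs $\mathbf{y}_1 = (10, 2)$ and $\mathbf{y}_2 = (20, 10)$, the overestimation $r_-$ of the conservative line $30 - 6t$ and the risk $r_+$ of the risky line $24 - 6t$. The function names, the use of exact rationals and the midpoint-sum area computation are this example's own choices.

```python
"""Metadata calculus on M = Z x Z (Section 4.1), written as a stand-alone
example: x = (c0, c1) has value Gamma_x(t) = max(c0 - c1*t, 0), scalar
multiplication is exactly homomorphic, and '+' yields a conservative line."""
from fractions import Fraction as Fr
from typing import Callable, Iterable, List, Tuple

Vec = Tuple[Fr, Fr]  # (c0, c1): value at t = 0 and rate of decay per time unit


def vec(c0, c1) -> Vec:
    """Build a metadata vector with exact rational coordinates."""
    return (Fr(c0), Fr(c1))


def value(x: Vec, t) -> Fr:
    """Gamma_x(t) = max(c0 - c1*t, 0): non-negative and non-increasing in t."""
    c0, c1 = x
    return max(c0 - c1 * Fr(t), Fr(0))


def lifetime(x: Vec) -> Fr:
    """Instant c0/c1 after which the object's value has decayed to zero."""
    c0, c1 = x
    return c0 / c1


def scale(a, x: Vec) -> Vec:
    """a . x = (a*c0, a*c1); Gamma_{a.x}(t) == a * Gamma_x(t) holds exactly."""
    c0, c1 = x
    return (Fr(a) * c0, Fr(a) * c1)


def add(x1: Vec, x2: Vec) -> Vec:
    """x1 + x2: the line through (0, c0^1 + c0^2) that reaches zero at the
    longer of the two lifetimes. Each input lies on or under this line, so
    the estimate never undervalues the fused object (Equation 3)."""
    c0 = x1[0] + x2[0]
    return (c0, c0 / max(lifetime(x1), lifetime(x2)))


def exact_sum(ys: Iterable[Vec], t) -> Fr:
    """True value of the fused object: the piecewise-linear sum of inputs."""
    return sum((value(y, t) for y in ys), Fr(0))


def _midpoint(fn: Callable[[Fr], Fr], horizon: Fr, step: Fr) -> Fr:
    """Midpoint Riemann sum of fn over [0, horizon] in exact rationals. It is
    exact for piecewise-linear fn whenever every kink lies on the grid."""
    total, t = Fr(0), step / 2
    while t < horizon:
        total += fn(t) * step
        t += step
    return total


def areas(estimate: Vec, ys: List[Vec], step=Fr(1, 100)) -> Tuple[Fr, Fr]:
    """(r_plus, r_minus): area where the estimate lies below the true value
    (risk) and area where it lies above (overestimation), over the interval
    [0, longest lifetime], beyond which every curve is zero."""
    horizon = max([lifetime(estimate)] + [lifetime(y) for y in ys])
    under = lambda t: max(exact_sum(ys, t) - value(estimate, t), Fr(0))
    over = lambda t: max(value(estimate, t) - exact_sum(ys, t), Fr(0))
    return _midpoint(under, horizon, step), _midpoint(over, horizon, step)


def risk_fraction(estimate: Vec, ys: List[Vec], step=Fr(1, 100)) -> Fr:
    """r_plus relative to the object's total value over its lifetime: the
    quantity the first optimisation problem in the text caps at X%."""
    r_plus, _ = areas(estimate, ys, step)
    total = _midpoint(lambda t: exact_sum(ys, t),
                      max(lifetime(y) for y in ys), step)
    return r_plus / total
```

With the Figure 5 inputs, `add` returns `(30, 6)`, the conservative line has `(r_plus, r_minus) = (0, 30)`, and the risky line `(24, 6)` has `(9/2, 15/2)` with a risk fraction of one tenth of the object's lifetime value.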


5 Conclusion

In this paper we have presented a novel metadata calculus for securing information flows in a tactical setting. The metadata calculus defines a metadata vector space that supports a time varying value function, computed as a function of the object's metadata, and operators $+$ and $\cdot$ to compute the metadata of an output object that is derived by downgrading, transforming or fusing other objects. We have also described a concrete realization of our metadata calculus using a value function that is polynomial in time $t$. We have formulated the problem of finding tight value estimates as various optimization problems. These formulations model various tradeoffs between space and accuracy and explore a spectrum of solutions ranging from conservative to risk-based value estimates.